GrapheneOS now comes with new device support for Auditor app, Hardened malloc and a new website

GrapheneOS, an open source privacy and security focused mobile OS comes with Android app compatibility. The GrapheneOS releases are supported by the Auditor app as well as attestation service for hardware-based attestation. The GrapheneOS research and engineering project has been in progress for over 5 years. In March, the AndroidHardening project got renamed to GrapheneOS. Two days ago, GrapheneOS released a new website grapheneos.org with additional documentation, tutorials and coverage of topics related to software, firmware and hardware as well as privacy/security features expected in the future. The team has also released a new version PQ3A.190605.003.2019.06.03.18 with device support, Auditor app and Hardened malloc among other fixes.

Changes in GrapheneOS project

Auditor: update to version 12

The Auditor app has an added support for verifying CalyxOS on the Pixel 2, Pixel 2 XL, Pixel 3 and Pixel 3 XL and even verified boot hash display has been added. Auditor uses hardware security features on supported devices for validating the integrity of the operating system from another Android device. The Auditor app will now also verify that the device is running the stock operating system with the bootloader locked and further will check that no tampering has occurred with the operating system.

Hardened malloc

Hardened malloc is a security-focused general purpose memory allocator that provides the malloc API along with various extensions. This security-focused design leads to lesser metadata overhead and memory waste from fragmentation than a traditional allocator design.

The attestation sub-projects already have their own dedicated site at https://t.co/zM2RKempC2 with some documentation and the web interface to the optional device monitoring service. Since the hardened malloc is a standalone project, documentation is at https://t.co/XL7MgG6GqT.

It also offers substantial hardening against heap corruption vulnerabilities and aims to provide a decent overall performance focused on long-term performance and memory usage.

Hardened malloc currently supports Bionic (Android), musl and glibc and it may also support other non- Linux operating systems in the future. There’s custom integration along with other hardening features for which has also been planned for musl in the future. The hardened_malloc for GrapheneOS only is further expanded to workaround for Pixel 3 and Pixel 3 XL camera issues.

GrapheneOS now needs to move towards a microkernel-based model with a Linux compatibility layer and it needs to adopt virtualization-based isolation. According to the team, the project will have to move into the hardware space in the long term.

Many are happy with this latest update. A user commented on HackerNews, “They’re making good progress and I can’t wait to be able to update my handheld device with mainline pieces for as long as anyone who still uses one cares to update it. Currently my Samsung Android device is at Dec 2018 patchlevel and nothing I can do about it.”

Few others are skeptical about this news, another user commented, “There is security, and then there is freedom. You can have the most secure system in the world — but if there are state sponsored, or company back doors it means nothing.”